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ABSTRACT 

The  United  States  Army  Corps  of  Engineers  (USACE)  conducts  Security  Risk 
Assessments  (SRAs)  at  its  most  consequential  dam  projects.  The  Common  Risk  Model 
for  Dams  (CRM-D)  provides  a  mathematically  rigorous  and  easy-to-implement  way  to 
conduct  SRAs.  The  CRM-D  quantifies  risk  as  the  product  of  the  probability  of  a 
successful  attack,  given  it  is  attempted,  and  consequences.  Referred  to  as  conditional 
risk,  this  decision  metric  is  the  expected  loss  given  a  specified  attack  is  attempted  on  a 
particular  target.  A  specified  attack  (consisting  of  an  attacker  type  and  an  attack  vector) 
carried  out  on  a  particular  target  comprises  a  scenario. 

The  CRM-D  considers  three  attacker  types  and  thirty-two  attack  vectors  identified  by 
USACE  Headquarters  (HQs).  A  dam  with  only  a  modest  number  of  critical  assets  could 
thus  have  several  hundred  scenarios  and,  consequently,  several  hundred  conditional  risk 
estimates.  This  paper  introduces  a  decision  metric,  exposure,  which  allows  the  analyst  to 
aggregate  conditional  risk  estimates  across  scenarios.  The  analyst  can  use  exposure  to 
compare  risks  by  attack  type,  by  target  or  for  any  useful  set  of  scenarios.  These 
comparisons  can  guide  an  analyst  in  determining  a  proposed  set  of  security  upgrades.  A 
standard  set  of  graphics  and  retum-on-investment  calculations  based  on  exposure  are 
introduced  that  summarize  the  current  level  of  risk  at  a  dam  project  as  well  as  the  reduced 
level  of  risk  should  the  set  of  recommended  security  upgrades  be  implemented. 

INTRODUCTION 

In  2005,  the  Institute  for  Defense  Analyses  (IDA)  initiated  the  development  of  the 
Common  Risk  Model  (CRM)  for  evaluating  and  comparing  risks  associated  with  the 
Nation’s  critical  infrastructure.  This  model  incorporates  commonly  used  risk  metrics  that 
are  designed  to  be  transparent,  simple,  and  mathematically  justifiable.  The  CRM  also 
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enables  comparisons  of  risks  to  critical  assets  both  within  and  across  critical 
infrastructure  sectors. 

Over  the  past  few  years,  an  extended  version  of  the  CRM  has  been  under  development  by 
IDA  in  collaboration  with  the  US  ACE  and  the  U.S.  Department  of  Homeland  Security 
(DHS).  The  extended  model — Common  Risk  Model  for  Dams  (CRM-D) — takes  into 
account  the  unique  features  of  dams  and  navigation  locks  and  provides  a  systematic 
approach  for  evaluating  and  comparing  risks  from  terrorist  threats  across  a  large 
portfolio6  (Seda-Sanabria  et  al.,  2011a). 

In  general,  the  risk  for  an  attack  scenario  is  considered  to  be  a  function  of  three  variables: 
threat — the  likelihood  of  an  attack  scenario  being  chosen  by  adversaries;  vulnerability  — 
the  likelihood  of  defeating  the  target’s  defenses,  given  that  the  attack  is  chosen;  and 
estimated  consequences  of  the  attack,  given  the  target’s  defenses  are  defeated  (DHS 
2013).  Therefore,  it  can  be  stated  that 


R=/(T,V,C),  (1) 

where  R  is  risk,  T  is  threat,  V  is  vulnerability,  and  C  is  the  consequences.  A  widely  used 
approach  is  to  define  the  risk  function  as  the  product  of  these  three  variables: 

R  =  T  x  V  x  C.  (2) 

Threat,  denoted  as  P(A),  is  defined  as  the  probability  that  a  given  attack  scenario  is 
chosen,  conditional  on  one  of  the  attack  scenarios  in  the  portfolio  being  chosen  within  a 
specified  timeframe  (usually  taken  to  be  a  year).  Vulnerability  is  defined  as  the 
conditional  probability  that  a  given  attack  vector  will  successfully  defeat  the  target’s 
defenses,  given  the  attack  scenario  is  chosen,  or  P(S|A).  Consequences,  denoted  as  C,  are 
defined  in  terms  of  lives  lost  and  economic  loss  given  that  the  attack  successfully 
breaches  all  of  the  defenses  protecting  the  scenario  target.  Thus 

R  =  P(A)  x  P(S|A)  x  C.  (3) 

One  can  also  define  conditional  risk  for  a  scenario,  Rc: 

Rc  =  V  x  C  =  P(S|A)  x  C.  (4) 

Rc  is  conditional  on  the  adversary’s  choice  of  a  specific  scenario.  Calculating  conditional 
risks  for  all  scenarios  can  be  useful  to  an  analyst  at  a  dam  project  as  this  knowledge  can 
inform  decisions  regarding  how  to  improve  the  security  measures  at  the  dam’s  facility. 
The  next  section  provides  an  overview  of  how  conditional  risk  is  estimated  in  CRM-D. 


6  A  portfolio  is  a  set  of  dam  projects  evaluated  by  a  risk  analyst. 
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BASIC  CONCEPTS:  THE  COMMON  RISK  MODEL  FOR  DAMS 


A  conceptually  simple  model  of  layered  defenses  is  used  to  evaluate  the  conditional  risk 
of  a  given  critical  infrastructure  target.  As  an  example,  Figure  1  represents  the  case  of  a 
target  protected  by  three  notional  defensive  layers. 


Figure  1.  Conceptual  Model  of  Layered  Defenses 

For  the  target  to  be  successfully  attacked,  each  defensive  layer  providing  some  form  of 
protection  would  need  to  be  successfully  breached.  For  the  case  shown  in  Figure  1,  the 
joint  probability  that  a  given  attack,  if  attempted,  will  be  successful  in  reaching  the  target, 
considering  it  being  attempted  (also  known  as  the  vulnerability  or  P(S|A)),  can  be 
determined  using  the  following  expression:7 


P(S|A)  =  PLi  x  PL2x  PL3.  (5) 

As  part  of  the  CRM-D  development,  a  representative  set  of  physical  attack  vectors  was 
defined  by  USACE  HQ  to  represent  a  wide  spectrum  of  attacks  that  can  be  used  to 
facilitate  the  comparison  of  vulnerability  and  conditional  risk  results  across  a  large 
portfolio.  These  attack  vectors,8  which  assume  high-capability  adversaries  (well-trained 
attackers  with  significant  access  to  resources),  are  listed  in  Table  1  and  are  arranged  by 
categories  known  as  attack  types.  The  twenty-eight  attack  vectors  listed  in  Table  1  are  a 
subset  of  the  thirty-two  total  attack  vectors  defined  by  USACE  HQ  for  various  adversary 
types. 


7  The  CRM-D  model  explicitly  accounts  for  time  delays  in  the  attack  due  to  the  time  it  takes  to  breach 
layers  and  the  time  it  takes  to  traverse  interlayer  distance.  Also  taken  into  account  is  attack  vector 
degradation  due  to  armed  defenders.  Since  these  are  factors  normally  used  in  the  estimation  of  conditional 
probabilities,  CRM-D  simplifies  the  calculation  of  conditional  probabilities  by  assuming  independence 
among  the  probability  estimates  except  for  those  factors  explicitly  accounted  for.  See  Morgeson  et  al., 
“Incorporating  Uncertainties  in  Estimation  of  Vulnerabilities  for  Security  Risk  Assessments.” 

8  The  attack  vectors  used  in  CRM-D  can  be  extended  to  include  additional  attack  vectors  that  are  identified 
over  time. 
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Table  1.  Attack  Vectors  Considered  for  High-Capability  Adversaries 


Attack  Mode 

Attack  Type 

Attack  Vectors 

Land 

VBIED 

Sedan 

Cargo  Van 

Box  Truck 

Large  Truck 

Assault  Team 

Single 

Attacker 

Small-Size 

Cell 

Medium- 
Size  Cell 

Large-Size 

Cell 

Stand-off  Weapon 

Large- 

Caliber 

Rifle 

Rocket- 

Propelled 

Grenade 

Mortar 

Man-portable 
Guided  Missile 

Sabotage 

Insider 

Outsider 

- 

- 

Excavating  Attack 

Mechanical 

Kinetic 

- 

- 

Water 

Water-borne 
Improvised 
Explosive  Device 
(WBIED) 

Inflatable 

Boat 

Small  Boat 

Large  Boat 

Barge 

Underwater  IED 

Surface 

Swimmer 

Subsurface 

Swimmer 

Modified 
Small  Boat 

Semi- 

submersible 

Boat 

Air 

Impact 

Helicopter 

Small 

Airplane 

Narrow- 

body 

Airliner 

Wide-body 

Airliner 

The  probability  that  a  specific  attack  vector  would  be  successful  in  reaching  a  given 
target  depends  on  the  probability  that  each  of  the  defensive  layers  sequentially 
encountered  along  the  attack  path  is  successfully  penetrated.  These  individual  layer 
probabilities,  in  turn,  depend  on  the  type  of  adversary,  the  attack  vector  chosen,  and  the 
strength  of  the  defenses  at  the  particular  layer  (Morgeson  2013).  To  illustrate  the  concept, 
assume  that  a  given  target  T-l  is  protected  by  three  defensive  layers  (Li,  L2,  and  L3).  For 
a  given  attack  vector  denoted  as  AV-1,  the  overall  probability  of  success  for  the  scenario 
defined  by  attack  vector  AV-1  and  the  target  T-l  is  the  joint  probability  of  successfully 
penetrating  all  three  layers.  For  this  scenario,  equation  5  can  be  written  using  the 
following  notation: 

P(S|A)overall  =  P(S|A)aV-1,  LI  X  P(S|A)  AV-1,  L2  X  P(S|A)  AV-1,  L3.  (6) 

Equation  7  is  an  example  of  the  calculation  in  equation  6  using  notional  estimates  for  the 
probabilities  for  each  layer. 


P(S|A)oVeraii  =  0.2  X  0.7  X  0.9  =  0.126.  (7) 

As  defined  in  equation  4,  conditional  risk  is  the  product  of  the  probability  of  successful 
attack  (given  that  that  attack  is  attempted)  multiplied  by  the  corresponding  consequences. 
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For  illustrative  purposes,  assume  that  the  consequences  of  a  successful  attack  on  target 
T-l  is  estimated  to  be  $1  million  (M),  and  therefore 

Rc  =  P(S|A)  x  C  =  0.126  x  $1M  =  $126,000.  (8) 

Rc  is  the  expected  loss  given  a  hypothetical  attack  on  target  T-l  protected  by  layers  Li, 
L2,  and  L3.  Therefore,  for  every  attack  scenario  (i.e.,  combination  of  an  adversary  type,  a 
specific  attack  vector,  and  a  given  target),  the  CRM-D  methodology  provides  a 
systematic  approach  to  estimate  conditional  risk.  Table  2  contains  conditional  risk 
calculations  for  a  set  of  scenarios  at  a  notional  dam. 

Table  2.  Conditional  Risk  for  Selected  Attack  Scenarios  for  a  Notional  Dam 


Source :  The  data  in  Table  2  and  associated  graphics  throughout  this  paper  are  drawn  from  Michael  Keleher, 
Steven  Walser,  and  Samuel  Himel,  The  Common  Risk  Model  for  Dams  Support  System:  A  Prototype 
Analyst  Tool  (Alexandria,  VA:  Institute  for  Defense  Analyses,  IDA  Paper  P-5220,  to  be  published).  Values 
in  the  table  are  rounded. 

Note  that  Table  2  contains  forty-eight  conditional  risk  calculations  (highlighted  in  red). 
Yet  this  represents  only  a  fraction  of  conditional  risk  calculations  that  would  be 
performed  at  many  dams.  This  table  includes  only  one  adversary  type,  only  two  attack 
types  (thus  only  eight  attack  vectors),  and  only  three  assets.  The  challenge  facing  a  risk 
analyst  is  how  to  summarize  the  data  contained  in  pages  and  pages  of  such  tables  in  a 
way  that  informs  decisions  about  potential  security  upgrades. 
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INTRODUCING  EXPOSURE 


The  purpose  of  calculating  conditional  risks  for  many  scenarios  is  ultimately  to  help  the 
decision  maker  understand  how  to  reduce  such  risks  most  effectively  by  investing  in 
security  improvements.  The  goal  is  to  compare  risks  among  different  target  assets  at  a 
dam,  for  different  types  of  attack  vectors,  or  for  different  dams  within  a  portfolio  of 
dams.  To  make  any  of  these  comparisons,  it  is  necessary  to  aggregate  risks  across 
scenarios.  Conditional  risk  cannot  be  aggregated  across  scenarios  because  by  definition, 
each  conditional  risk  estimate  is  based  on  the  adversary  choosing  that  scenario.  A 
different  decision  metric  (other  than  conditional  risk  alone)  is  needed. 

A  decision  metric  is  needed  that  retains  the  essential  information  contained  in  conditional 
risk  for  each  scenario  considered,  but  also  quantitatively  summarizes  conditional  risk 
across  multiple  scenarios  in  order  to  inform  decision  makers  as  they  contemplate 
potential  security  upgrades.  Because  the  metric  is  intended  to  inform  decision  makers,  the 
metric  should  ideally  be  intuitive.  This  paper  introduces  such  a  metric:  exposure. 

Defining  Exposure 

Exposure  is  defined  as  human  lives  and  economic  value  at  risk  due  to  an  attack.  Exposure 
can  be  determined  for  any  set  of  scenarios  (including  a  single  scenario)  of  interest  to  the 
analyst.  Even  when  exposure  is  used  as  a  summary  metric  for  multiple  scenarios,  it  is 
defined  as  human  lives  or  economic  value  at  risk  due  to  a  potential  attack.  Intuitively,  the 
number  of  human  lives  at  risk  from  a  single  attack  at  a  specified  dam  cannot  exceed  the 
maximum  number  of  lives  lost  considering  all  scenarios  at  that  dam.  Consequently, 
exposure,  measured  in  terms  of  lives  lost,9  for  any  set  of  scenarios,  will  never  exceed  the 
maximum  possible  lives  lost  from  any  individual  scenario  in  the  set.  For  example, 
consider  Table  3  which  presents  the  consequences  in  terms  of  loss  of  life  for  selected 
scenarios  at  a  notional  dam.  The  largest  loss  of  life  from  any  single  scenario  is  one 
hundred  (for  the  scenario  involving  the  large  truck  vehicle-borne  improvised  explosive 
device  [VBIED]  against  the  impoundment).  Exposure  for  any  subset  of  these  scenarios 
(including  exposure  for  all  the  scenarios  in  Table  3)  will  not  exceed  one  hundred.  The 
analyst  can  usefully  compare  exposure  calculations  by  attack  type  or  by  asset  or  for  any 
useful  set  of  scenarios.  The  results  of  these  comparisons  guide  a  decision  maker  who  is 
determining  the  most  effective  set  of  proposed  security  upgrades. 

Calculating  Exposure 

The  considerations  discussed  in  the  previous  section  suggest  calculating  exposure  for  a 
set  of  scenarios  as  a  weighted  sum  of  the  conditional  risk  estimates  for  each  scenario  in 


9  Exposure  is  defined  and  calculated  both  in  terms  of  human  lives  and  economic  value.  The  calculations  for 
human  lives  and  economic  value  are  always  done  separately,  just  as  conditional  risk  calculations  are  made 
separately.  In  the  examples  throughout  the  paper,  either  human  lives  or  economic  value  will  be  chosen  to 
illustrate  a  particular  point. 
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the  set.10  There  are  numerous  weighting  schemes11  that  an  analyst  could  choose. 
Considering  the  previously  stated  goals  of  a  metric  that  (1)  preserves  the  essential 
information  contained  in  conditional  risk  estimates  and  (2)  is  intuitive  to  decision  makers, 
the  authors  propose  the  following  method  for  calculating  exposure.  Exposure — denoted 
Rc’ — for  any  set  of  scenarios,  is  the  sum  of  scaled  conditional  risk  for  each  scenario  so 
that  (1)  the  scaling  factor  for  each  scenario  is  the  same  and  (2)  the  exposure  for  the  set  of 
all  scenarios  at  an  undefended  dam  (i.e.,  when  P(S|A)  equals  1.0  for  each  scenario)  is 
equal  to  the  consequences  of  the  individual  scenario  that  equals  or  exceeds  the 
consequences  of  all  other  scenarios.  (This  value  of  consequences  is  referred  to  as  Cmax; 
see  example  below.) 

A  dam  (considered  as  an  aggregation  of  all  the  critical  assets  at  the  dam)  cannot  be  more 
exposed,  that  is,  suffer  more  than  the  worst  consequences  a  given  adversary  type  can 
impose  in  a  single  attack.  The  exposure  for  each  scenario  is  its  conditional  risk  multiplied 
by  a  scaling  constant,  denoted  by  “k.”  Scaling  conditional  risk  allows  for  a  realistic  and 
valid  comparison  of  conditional  risks,  both  at  a  dam  and  among  a  portfolio  of  dams, 
without  sacrificing  the  valuable  information  embedded  in  the  conditional  risk  estimate. 
Exposure  allows  one  to  compare  different  sets  of  attack  vectors  or  different  assets  at  a 
dam.  It  also  permits  estimates  of  the  relative  values  of  different  sets  of  security  upgrades 
by  observing  the  amount  of  reduction  in  exposure  following  the  application  of  each  set  of 
security  upgrades.  Table  3  illustrates  how  exposure  would  be  calculated  for  a  set  of 
scenarios  at  a  notional  dam.  In  Table  3, 

•  C  indicates  consequences,  in  loss  of  life  for  an  individual  scenario. 

•  Cjotal  is  the  sum  of  consequences  for  all  scenarios  considered  in  the  table. 

•  Cmax  is  the  largest  C  for  an  individual  scenario  under  consideration  in  the  table 

•  k  =  Cmax/Ctotal- 

•  Exposure  is  denoted  Rc',  and  is  calculated  as  Rc'  =  k  x  Rc. 

•  Rc'as-is  indicates  the  exposure  for  a  scenario,  given  the  current  security  measures 
present  at  the  dam  project. 


10  The  notion  of  aggregating/summarizing  a  collection  of  conditional  risks,  with  each  conditional  risk  tied 
to  a  distinctly  unique  conditioning  event,  may  be  considered  analytically  unsatisfying.  Such  a  decision 
metric  has  no  physical  interpretation;  nor  does  it  have  a  stochastic  interpretation,  such  as  an  expected  value 
of  loss.  Nevertheless,  it  is  a  useful  decision  metric  to  decision  makers  because  they  must  consider  the 
magnitude  of  overall  risk  exposure  and  not  isolated  events. 

11  See  discussion  in  this  paper  on  alternative  metrics. 
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Table  3.  Exposure  (Loss  of  Life)  for  Selected  Scenarios  from  a  Notional  Dam 


Attack 

Type 

Attack 

Vector 

Target  Asset 

C 

P(S  |  A) 

P(S  |  A)  x  C 

=  Rc 

kx  Rc  = 

RcAs-Is 

Cjotal  -  I  C  -  151;  CMax  -  100;  k  -  CMAx/Ctotal  - 

100/151  =  0.66 

Impoundment 

Sedan 

1 

1.0 

1.0 

0.66 

VBIED 

Van 

1 

1.0 

1.0 

0.66 

Box 

Truck 

1 

1.0 

1.0 

0.66 

Large 

Truck 

100 

1.0 

100 

66 

Control  Center 

Single 

Attacker 

11 

.58 

6.4 

4.2 

Small 

Cell 

11 

.81 

8.9 

5.9 

Medium 

Cell 

11 

1.0 

11.0 

7.3 

Assault 

Large 

Cell 

11 

1.0 

11.0 

7.3 

Team 

Turbines  and  Generators 

Single 

Attacker 

1 

.58 

0.58 

0.38 

Small 

Cell 

1 

.81 

0.81 

0.53 

Medium 

Cell 

1 

1.0 

1.0 

0.66 

Large 

Cell 

1 

1.0 

1.0 

0.66 

USING  EXPOSURE  TO  DEVELOP  RISK  MITIGATION  OPTIONS 

A  Risk  Mitigation  Option  (RMO)  is  a  package  of  security  upgrades  intended  to  reduce 
exposure  at  critical  assets  and  components  of  a  dam  project.  The  upgrades  consist  of 
improvements  or  additions  to  the  defensive  layers  at  the  project.  Options  are  constrained 
in  practice  by  command  guidance  such  as  funding  limitations  or  operational 
considerations. 

The  decision  metric  that  will  be  used  to  evaluate  potential  RMOs  is  the  net  reduction  in 
the  exposure  for  the  set  of  all  scenarios  considered  at  the  project.  Exposure  for  a  dam  in 
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its  current  security  configuration  is  denoted  Rc’as-is.  It  is  calculated  using  conditional  risk 
estimates  for  each  scenario  based  on  the  P(S|A)  values  for  the  current  defensive 
configuration  at  each  layer  protecting  the  dam.  Rc’rmo  denotes  exposure  for  the  dam 
after  implementing  the  proposed  RMO.  It  is  calculated  using  conditional  risk  estimates 
for  each  scenario  based  on  revised  P(S|A)  values  resulting  from  the  proposed  defensive 
configurations. 

Exposure  was  introduced  to  help  the  analyst  use  conditional  risk  estimates  to  develop 
RMOs  that  effectively  reduce  risk.  Exposure,  calculated  by  summing  scaled  conditional 
risk  values  over  different  sets  of  scenarios,  is  particularly  helpful  in  answering  two 
questions  from  the  dam  owner/operator  perspective: 

1)  Which  targets  are  currently  the  most  exposed? 

2)  Which  attack  vectors  currently  cause  the  most  exposure? 

The  first  question  is  addressed  by  calculating  exposure  for  each  asset  at  the  dam.  That  is, 
calculate  the  sum  of  scaled  conditional  risk  estimates  over  each  scenario  involving  a 
particular  asset.  Similarly,  the  second  question  is  addressed  by  calculating  exposure  for 
each  attack  type.  That  is,  calculate  the  sum  of  scaled  conditional  risk  estimates  over  each 
scenario  involving  a  particular  attack  type.  In  the  next  section,  graphics  are  introduced 
that  help  the  analyst  answer  these  two  questions. 

Graphical  Displays  to  Help  Develop  RMOs 

Each  scenario  contributes  to  the  overall  exposure  at  a  dam  project.  In  order  for  an  analyst 
to  recommend  security  upgrades  that  efficiently  reduce  that  level  of  exposure,  it  would  be 
helpful  to  know  which  scenarios  contribute  the  most  to  the  overall  level  of  exposure.  As 
previously  mentioned,  this  can  be  analyzed  by  asset  or  by  attack  type.  Pie  charts  are  an 
intuitive  way  to  display  this  information. 

Figures  2  through  4  show  how  exposure  is  distributed  over  assets  and  attack  vectors  for 
current  defenses  at  a  notional  dam.  Charts  such  as  these  inform  the  analyst  during  the 
process  of  building  RMOs.  Rc’as-is  is  calculated  for  the  set  of  all  scenarios;  each  wedge 
in  the  pie  charts  represents  the  percentage  of  that  total  that  is  contributed  by  the  set  of 
scenarios  that  only  involve  the  asset  (or  attack  type)  indicated. 
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Figure  2.  Distribution  of  Loss-of-Life  Exposure  Over  Assets  for  “As-Is”  Defenses 
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Figure  3.  Distribution  of  Economic  Exposure  Over  Assets  for  “As-Is”  Defenses 

Figures  2  and  3  both  display  relevant  information  to  help  answer  the  question,  “Which 
targets  are  currently  the  most  exposed?”  Notice,  for  example,  in  Figure  3,  the  analyst 
and/or  decision  maker  can  see  immediately  that  roughly  three  quarters  of  all  economic 
exposure  is  contributed  by  scenarios  involving  only  two  assets — the  components  in  the 
powerhouse  and  the  main  impounding  structure.  Figure  2,  on  the  other  hand,  shows  that 
the  largest  exposure  in  terms  of  loss  of  life  is  at  the  visitor  center.  These  types  of  insights 
are  invaluable  to  an  analyst  as  he  or  she  considers  where  to  propose  security  upgrades  at 
the  dam  project. 

The  same  type  of  analysis  can  be  conducted  by  attack  type.  Figure  4  helps  answer  the 
question,  “Which  attack  vectors  currently  cause  the  most  exposure?”  It  shows  that 
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roughly  three  quarters  of  total  exposure  at  the  project  is  attributed  to  scenarios  involving 
VBIEDs  and  Assault  Teams.  An  analyst  can  also  readily  surmise  that  protecting  against 
land-based  attacks  is  more  likely  to  lower  overall  exposure  than  protecting  against  water¬ 
borne  attacks. 
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Figure  4.  Distribution  of  Loss-of-Life  Exposure  Over  Attack  Vector  Types  for  “As- 

Is”  Defenses 


Graphical  Displays  that  Help  Evaluate  RMOs 

The  pie  charts  in  Figures  2,  3,  and  4  aid  the  analyst  in  creating  RMOs  designed  to  better 
protect  certain  assets  or  to  better  protect  against  certain  types  of  attacks  where  the  dam  is 
most  exposed.  The  bar  chart  in  Figure  5  quantifies  the  reduction  in  exposure  that  would 
be  achieved  if  the  proposed  RMO  is  implemented.  Figure  5  presents  three  calculations  for 
total  exposure  at  the  project  based  on  three  different  security  configurations  at  the  dam. 
The  red  bar,  denoted  Re’ undefended,  represents  the  level  of  exposure  if  there  were  no 
effective  defenses  at  the  dam  project,  that  is,  the  P(S|A)  values  for  every  scenario  is  1.0. 
Mathematically,  this  means  that  Rc  equals  consequences  for  every  scenario.  By 
construction,  Rc’,  in  this  case,  is  equal  to  the  maximum  consequence  level  over  all 
scenarios.  Including  this  calculation  in  the  graphic  allows  the  decision  maker  to  readily 
observe  the  current  state  of  defenses  (represented  by  the  height  of  the  blue  bar)  vis-a-vis 
an  undefended  dam.  The  green  bar  represents  the  level  of  exposure  if  the  proposed  RMO 
was  implemented.  The  percent  reduction  expressed  at  the  top  of  the  chart  is  a  comparison 
of  the  exposure  levels  for  the  RMO  and  the  current  state  of  defenses. 
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Figure  5.  Reduction  in  Loss-of-Life  Exposure  for  RMO 


In  this  particular  notional  example,  the  decision  maker  can  readily  see  that  the  proposed 
RMO  would  reduce  exposure  in  terms  of  loss  of  human  life  by  9  percent. 

Implementing  Exposure 

IDA  has  created  a  training  tool  known  as  the  Common  Risk  Model  for  Dams  Support 
System  (CRM-DSS).  Among  other  things,  this  tool  automates  the  calculation  of  exposure 
and  the  creation  of  all  the  graphics  introduced  in  this  paper.  CRM-DSS  has  successfully 
been  used  to  train  thirty-five  USACE  analysts  to  conduct  a  Security  Risk  Assessment 
(SRA)  based  on  exposure  calculations.  Analysts  have  used  the  tool  to  successfully 
complete  SRAs  at  multiple  dams. 

OTHER  POTENTIAL  METRICS 

Exposure  is  a  weighted  sum  of  conditional  risk  estimates  for  a  particular  set  of  scenarios. 
It  is  not  the  only  possible  solution  for  the  problem  of  summarizing  conditional  risk 
estimates  across  scenarios.  Other  weighted  sums  were  considered;  each  has  its  own 
strengths  and  weaknesses.  For  developing  individual  SRAs  at  individual  USACE  dams, 
exposure  was  deemed  to  have  the  most  desirable  properties  of  various  metrics  that  were 
considered.  The  following  subsections  present  four  alternative  metrics  along  with  a  brief 
discussion  of  their  merits  and  demerits. 

Summing  Conditional  Risk  Estimates 

Perhaps  the  most  intuitive  way  to  combine  conditional  risk  estimates  across  a  set  of 
scenarios  is  to  simply  add  the  conditional  risk  estimates  without  weighting  them.  This 
solution  has  two  significant  disadvantages.  Using  this  metric,  the  measure  of  risk 
attributed  to  a  set  of  scenarios  will  always  increase  as  scenarios  are  added  to  the  set.  Thus 
it  is  theoretically  possible  for  one  dam,  say  Dam  A,  to  have  a  higher  measure  of  risk  than 
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say  Dam  B  simply  because  Dam  A  is  vulnerable  to  more  scenarios  than  Dam  B, 
regardless  of  the  potential  consequences  from  any  one  scenario.  The  second  disadvantage 
is  related  to  the  first.  Using  this  metric,  a  dam  could  have  a  measure  of  risk  that  is  larger 
than  the  possible  consequences  from  any  single  attack. 

Maximum  Possible  Consequences 

Another  possible  weighting  scheme  is  to  give  the  scenario  with  the  largest  consequences 
a  weight  of  1  and  give  all  other  scenarios  a  weight  of  0.  This  appropriately  places  an 
emphasis  on  the  largest  consequence  scenario  but  totally  ignores  all  other  scenarios. 
Imagine  an  RMO  that  recommends  adding  a  water  layer  on  the  downstream  side  of  the 
dam.  This  might  significantly  lower  risk  to  a  number  of  assets  that  can  be  attacked  from 
the  downstream  side.  However,  if  the  largest  consequence  scenario  can  only  be  attacked 
from  upstream,  this  RMO  will  not  reduce  the  measure  of  risk  at  all  if  this  metric  is 
employed. 

Threat  Estimate:  P(A) 

The  CRM-D  contains  a  module  (Kirpichevsky  2012)  that  estimates  the  threat  parameter, 
P(A)  in  equation  (3).  This  parameter  could  be  considered  a  weight  on  conditional  risk  and 
has  some  of  the  desirable  properties  of  exposure.  In  fact,  it  has  the  added  benefit  of 
capturing  the  threat  component  of  risk.  However,  the  P(A)  module  was  developed  for  use 
at  the  portfolio  level. 

Average  Conditional  Risk 

Another  intuitive  weighting  scheme  is  to  use  the  arithmetic  average  of  the  conditional 
risk  estimates  for  all  the  scenarios  in  the  set  of  interest,  thus  equally  weighting  each 
scenario.  Initially,  this  metric  seems  to  be  more  intuitive  than  exposure  and  might  be 
more  easily  explained  to  decision  makers.  It  is  interesting  to  note  that  exposure  is  also  a 
weighting  scheme  in  which  all  the  scenarios  are  equally  weighted.  The  difference  is  that 
in  exposure  the  weights  do  not  necessarily  sum  to  1 .  The  advantage  of  the  weighting 
scheme  used  to  calculate  exposure  is  that  it  has  a  more  intuitive  interpretation, 
particularly  in  the  case  of  an  undefended  dam.  Consider  for  example  the  following 
notional  situation  depicted  in  Table  4.  The  level  of  exposure  at  the  entire  dam  is  100,  but 
the  average  conditional  risk  is  12.5.  In  this  example,  the  average  conditional  risk  is  not  a 
very  descriptive  measure  of  how  exposed  the  dam  is  to  attack,  that  is,  how  much  is  at 
risk.  If  more  scenarios  that  have  little  or  no  conditional  risk  are  added,  the  average 
conditional  risk  becomes  a  summary  metric  that  is  even  less  intuitive. 
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Table  4.  Exposure  (Economic)  for  Select  Scenarios  from  a  Notional  Dam 


Attack 

Type 

Attack 

Vector 

Target  Asset 

C 

P(S  |  A) 

P(S  |  A)  x  C 

=  Rc 

kx  Rc  = 

RcAs-Is 

Ctotal  -  I  C  -  200;  CMax  -  100;  k  -  CMAx/Ctotal  -  100/200  -  0.5 

VBIED 

Impoundment 

Sedan 

20 

1.0 

20 

10 

Van 

30 

1.0 

30 

15 

Box 

Truck 

50 

1.0 

50 

25 

Large 

Truck 

100 

1.0 

100 

50 

Assault 

Team 

Impoundment 

Single 

Attacker 

0 

1.0 

0 

0 

Small 

Cell 

0 

1.0 

0 

0 

Medium 

Cell 

0 

1.0 

0 

0 

Large 

Cell 

0 

1.0 

0 

0 

CONCLUSION 

Exposure  is  an  intuitive  concept  that  provides  risk  analysts  with  a  method  for 
synthesizing  conditional  risk  calculations  across  multiple  scenarios  that  is  easy  to 
calculate.  The  synthesis  of  condition  risk  calculations  at  an  individual  dam  provided  by 
this  new  metric  can  be  presented  to  decision  makers  via  graphical  displays  that  are 
informative  and  easy  to  comprehend.  It  has  been  successfully  tested  in  training  courses 
and  in  actual  SRAs  conducted  at  US  ACE  dams. 
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